如何使用Java验证证书是否为EV证书?

Question

如何使用Java验证证书是否为EV证书?

5

考虑以下示例代码，它使用 TrustManager 记录出站连接是否使用有效证书（但在所有情况下都接受连接）：

import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

public class CertChecker implements X509TrustManager {

    private final X509TrustManager defaultTM;

    public CertChecker() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore)null);
        defaultTM = (X509TrustManager) tmf.getTrustManagers()[0];
    }

    public void checkServerTrusted(X509Certificate[] certs, String authType) {
        if (defaultTM != null) {
            try {
                defaultTM.checkServerTrusted(certs, authType);
                System.out.println("Certificate valid");
            } catch (CertificateException ex) {
                System.out.println("Certificate invalid: " + ex.getMessage());
            }
        }
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
    public X509Certificate[] getAcceptedIssuers() { return null;}

    public static void main(String[] args) throws Exception {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, new TrustManager[] {new CertChecker()}, new SecureRandom());
        SSLSocketFactory ssf = (SSLSocketFactory) sc.getSocketFactory();
        ((SSLSocket)ssf.createSocket(args[0], 443)).startHandshake();
    }
}

在checkClientTrusted方法中，我需要做什么来检查该证书是扩展验证证书（现代浏览器中的绿色地址栏）还是普通证书（黄色地址栏）？

编辑：

我正在尝试使一个CertPathValidator工作，但不知何故，我只得到有关证书不是CA证书的异常... 有什么想法吗？

编辑2：使用PKIXParameters而不是PKIXBuilderParameters

private boolean isEVCertificate(X509Certificate[] certs, String authType) {
    try {
        CertPath cp = new X509CertPath(Arrays.asList(certs));
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(new File(System.getProperty("java.home"), "lib/security/cacerts")), null);
        PKIXParameters cpp = new PKIXParameters(ks);
        cpp.setRevocationEnabled(false);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");          
        PKIXCertPathValidatorResult res = (PKIXCertPathValidatorResult) cpv.validate(cp, cpp);
        System.out.println(res.getTrustAnchor().getCAName());
        System.out.println(res.getPolicyTree().getValidPolicy());
        System.out.println(cp);
        return false;
    } catch (Exception ex) {
        ex.printStackTrace();
        return false;
    }
}

我正在针对真实世界的EV证书进行测试。代码现在可以与www.paypal.com一起使用（也就是说，它不会抛出异常），但无法与banking.dkb.de一起使用。:(

但即使是在Paypal.com上，信任锚点getCAName返回null，那么我怎么知道它是针对哪个CA进行验证的，以便我可以查找正确的EV策略？

- mihi

你的验证器代码有点不同，因为你正在使用PKIXBuilderParameters进行验证；通常我会只使用PKIXParameters（目标已知）。此外，你使用的证书链是通过“真正”的CA发行的，还是通过你自己签名的测试CA发行的？如果是后者，我会担心各种扩展。它们非常棘手，很难正确地满足PKIX验证器的要求。 - erickson

已经相应地更新了我的问题... - mihi

好的，请看一下我的示例。它适用于 https://banking.dkb.de/dkb/。 - erickson

好的，我看到了与 https://banking.dkb.de/ 相关的问题。实际上这是他们服务器的配置错误：他们发送了其中一个中间证书两次，如果您直接使用它，则会产生无效的证书链。当我使用我的 isEV 方法时，我实际上使用了一个 CertPathBuilder，并将从服务器接收到的整个链传递给它。该构建器能够创建正确的链路，忽略服务器错误发送的不必要证书。如果这是正确的，那么 EV 测试本身不应该失败，而应该是路径验证失败。 - erickson

3个回答

3

编辑：已发布附加代码。

如果您使用Sun的X509实现，可以像这样操作：

  CertificatePoliciesExtension ext = ((X509CertImpl)cert).getCertificatePoliciesExtension();
  List<PolicyInformation> policies = (List<PolicyInformation>)ext.get(CertificatePoliciesExtension.POLICIES);
  boolean evCert = false;
  for (PolicyInformation info : policies) {
      CertificatePolicyId id = info.getPolicyIdentifier();
      if (isEVPolicy(id)) {
         evCert = true;
         break;                 
      }             
  }

  ......

  public static ObjectIdentifier[] EV_POLICIES;

  static {
      try {
          EV_POLICIES = new ObjectIdentifier[] {
                new ObjectIdentifier("2.16.840.1.113733.1.7.23.6"), // Verisign
                new ObjectIdentifier("1.3.6.1.4.1.14370.1.6"), // Geo-Trust of Verisign
                new ObjectIdentifier("2.16.840.1.113733.1.7.48.1") // Thawte
          };
      } catch (IOException e) {
        throw new IllegalStateException("Invalid OIDs");
      }
  }

  private boolean isEVPolicy(CertificatePolicyId id) {
    for (ObjectIdentifier oid : EV_POLICIES) {
        if (oid.equals((Object)id.getIdentifier())) 
            return true;
    }
    return false;
 }

我们只允许来自3个CA的EV证书。您可以在该数组中添加更多的EV OIDs。您可以从此处获取OID的完整列表。

- ZZ Coder

不行。这会给你提供所有的策略扩展，而不仅仅是指出证书满足“扩展验证”要求的那些。 - jarnbjo

2

我的银行例如使用了一个常规的3级Verisign证书，策略为2.16.840.1.113733.1.7.23.3（非EV）。 - jarnbjo

你能告诉我银行的名字，这样我就可以查一下吗？我被告知这个扩展名专门用于 EV。无论如何，我发布了更多的代码，其中包括检查策略的部分。 - ZZ Coder

1

此外，您的代码虽然有帮助，但仍不完整。例如，您需要确保策略有效，考虑到证书路径上面的更高级别策略。另外，至少要确保策略ID与发行者匹配。 - erickson

1

验证 EV 证书的过程确实很复杂。不幸的是，我无法发布整个类（800 行长）。我们从 Firefox 复制了我们的逻辑。请参考我的答案中提到的 C++ 代码以获取完整的逻辑。 - ZZ Coder

显示剩余2条评论

3

我终于让它工作了...下面是一个运行的最小示例，显示了所有的逻辑和检查。是的，它适用于 banking.dkb.de :-)

感谢所有帮助过我的人。欢迎对明显的安全漏洞或其他任何事情（除了代码风格或缺少错误处理;我尽力将我的代码压缩到可运行代码的绝对最小值）发表评论，所以请随意评论 :)

import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;

import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

public class CertChecker implements X509TrustManager {

    private final X509TrustManager defaultTM;

    public CertChecker() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore)null);
        defaultTM = (X509TrustManager) tmf.getTrustManagers()[0];
    }

    public void checkServerTrusted(X509Certificate[] certs, String authType) {
        if (defaultTM != null) {
            try {
                defaultTM.checkServerTrusted(certs, authType);
                if (isEVCertificate(certs))
                    System.out.println("EV Certificate: "+ certs[0].getSubjectX500Principal().getName() + " issued by " + certs[0].getIssuerX500Principal().getName());                    
                System.out.println("Certificate valid");
            } catch (CertificateException ex) {
                System.out.println("Certificate invalid: " + ex.getMessage());
            }
        }
    }

    private boolean isEVCertificate(X509Certificate[] certs) {
        try {
            // load keystore with trusted CA certificates
            KeyStore cacerts = KeyStore.getInstance("JKS");
            cacerts.load(new FileInputStream(new File(System.getProperty("java.home"), "lib/security/cacerts")), null);

            // build a cert selector that selects the first certificate of the certificate chain
            // TODO we should verify this against the hostname...
            X509CertSelector targetConstraints = new X509CertSelector();
            targetConstraints.setSubject(certs[0].getSubjectX500Principal());

            // build a cert path from our selected cert to a CA cert
            PKIXBuilderParameters params = new PKIXBuilderParameters(cacerts, targetConstraints);        
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(certs))));
            params.setRevocationEnabled(false);
            CertPath cp = CertPathBuilder.getInstance("PKIX").build(params).getCertPath();

            // validate the cert path
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(cp, params);
            return isEV(result);
        } catch (Exception ex) {
            ex.printStackTrace();
            return false;
        }
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}
    public X509Certificate[] getAcceptedIssuers() { return null;}

    public static void main(String[] args) throws Exception {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, new TrustManager[] {new CertChecker()}, new SecureRandom());
        SSLSocketFactory ssf = (SSLSocketFactory) sc.getSocketFactory();
        ((SSLSocket)ssf.createSocket(args[0], 443)).startHandshake();
    }

    private static final Map<X500Principal, String> policies = new HashMap<X500Principal, String>();

    static {
        // It would make sense to populate this map from Properties loaded through 
        // Class.getResourceAsStream().
        policies.put(
                new X500Principal("OU=Class 3 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US"), 
                "2.16.840.1.113733.1.7.23.6"
        );
        // TODO add more certificates here
    }

    // based on https://dev59.com/l0rSa4cB1Zd3GeqPUTE3
    static boolean isEV(PKIXCertPathValidatorResult result)
    {
        // Determine the policy to look for.
        X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        System.out.println("[Debug] Found root DN: "+root.getName());
        String policy = policies.get(root);
        if (policy != null)
            System.out.println("[Debug] EV Policy should be: "+policy);

        // Traverse the tree, looking at its "leaves" to see if the end-entity 
        // certificate was issued under the corresponding EV policy.
        PolicyNode tree = result.getPolicyTree();
        if (tree == null)
            return false;
        Deque<PolicyNode> stack = new ArrayDeque<PolicyNode>();
        stack.push(tree);
        while (!stack.isEmpty()) {
            PolicyNode current = stack.pop();
            Iterator<? extends PolicyNode> children = current.getChildren();
            int leaf = stack.size();
            while (children.hasNext())
                stack.push(children.next());
            if (stack.size() == leaf) {
                System.out.println("[Debug] Found policy: " + current.getValidPolicy());
                // If the stack didn't grow, there were no "children". I.e., the 
                // current node is a "leaf" node of the policy tree.
                if (current.getValidPolicy().equals(policy))
                    return true;
            }
        }
        // The certificate wasn't issued under the authority's EV policy.
        return false;
    }
}

- mihi

哇！谢谢你！那真的帮了我很多！ - MicD

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- erickson · Accepted Answer

首先，您需要一张发行者名称及其相应的 EV 策略标识符表。

当 CA 发布证书时，他们可以注明发布证书的策略。该策略的标识符由发行者分配，因此您需要一个发行者和其 EV 策略列表。

然后，您需要从服务器证书中获取策略。参考 RFC 5280，§ 4.1.2.4 以了解有关策略的一般信息以及它们的工作原理。

您需要验证证书链以获得 PKIXCertPathValidatorResult。 结果的一部分是策略树。您可以浏览策略树以确定是否包括目标证书发行者的 EV 策略。

这是一个检查证书路径结果的详细示例。

private static final Map<X500Principal, String> policies = new HashMap<X500Principal, String>();

static {
  /* 
   * It would make sense to populate this map from Properties loaded through 
   * Class.getResourceAsStream().
   */
  policies.put(
    new X500Principal("OU=Class 3 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US"), 
    "2.16.840.1.113733.1.7.23.6"
  );
  // ...
}

static boolean isEV(PKIXCertPathValidatorResult result)
{
  /* Determine the policy to look for. */
  X500Principal root = result.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
  String policy = policies.get(root);
  if (policy == null)
    /* The EV policy for this issuer is unknown (or there is none). */
    return false;
  /* Traverse the tree, looking at its "leaves" to see if the end-entity 
   * certificate was issued under the corresponding EV policy. */
  PolicyNode tree = result.getPolicyTree();
  Deque<PolicyNode> stack = new ArrayDeque<PolicyNode>();
  stack.push(tree);
  while (!stack.isEmpty()) {
    PolicyNode current = stack.pop();
    Iterator<? extends PolicyNode> children = current.getChildren();
    int leaf = stack.size();
    while (children.hasNext())
      stack.push(children.next());
    if (stack.size() == leaf) {
      /* If the stack didn't grow, there were no "children". I.e., the 
       * current node is a "leaf" node of the policy tree. */
      if (current.getValidPolicy().equals(policy))
        return true;
    }
  }
  /* The certificate wasn't issued under the authority's EV policy. */
  return false;
}